Hartmut
6f3bdd81e8
perf(api): add explicit Prisma selects on hot read paths
Replaces full model includes with field-scoped selects on the resource
list (listStaff) query. Avoids fetching large JSONB columns
(availability, valueScoreBreakdown) and unused scalar fields (aiSummary,
portfolioUrl, fte, resourceType, postalCode, etc.) when only
identity/rate fields are needed.
Adds RESOURCE_LIST_SELECT constant to packages/api/src/db/selects.ts
covering all fields actually consumed by ResourcesClient, FillOpenDemandModal,
EstimateWizard, EstimateWorkspaceDraftEditor, and ScenarioPlanner.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-09 19:24:55 +02:00
Hartmut
d3bfa8ca98
test(mfa): full MFA test coverage — unit + E2E
Unit tests (packages/api — 13 tests):
- generateTotpSecret: DB write, returns secret + uri
- verifyAndEnableTotp: valid token enables; invalid/already-enabled/no-secret guards
- verifyTotp (login): valid → ok; invalid → UNAUTHORIZED; not-enabled → BAD_REQUEST
- getCurrentMfaStatus: reads totpEnabled flag
E2E tests (apps/web/e2e/dev-system/mfa.spec.ts — 7 scenarios):
- Setup flow: generate secret, enable with valid code, reject invalid code, UI QR check
- Login flow: MFA prompt appears, valid code logs in, wrong code shows error + stays on prompt
- Login without MFA: no TOTP prompt for users without MFA enabled
Also: start.sh health-check timeout 30s → 90s (container startup can exceed 30s)
Co-Authored-By: claude-flow <ruv@ruv.net>
2026-04-01 22:30:36 +02:00
Hartmut
bfdf0a82da
security/platform: close audit findings #19–#26
Tests, CSP nonce middleware, SSRF guard, perf-route hardening,
Docker env isolation, migration runbook, RBAC E2E coverage.
Tickets resolved:
- #19: MfaSetup.test.ts — static source tests confirming local QR rendering
- #20: ssrf-guard.test.ts (16 tests) + webhook-procedure-support mock fix
- #21: /api/perf route.test.ts (5 tests) — header-only auth, fail-closed
- #22: middleware.ts (nonce-based CSP) + middleware.test.ts (6 tests);
layout.tsx async + nonce prop; CSP removed from next.config.ts
- #23: Active-session registry enforcement verified (already in codebase)
- #24: docker-compose.yml REDIS_URL hardcoded (no host-env substitution)
- #25: docker-compose.yml REDIS_URL + docs/developer-runbook.md created
- #26: e2e/dev-system/rbac-data-access.spec.ts (12 tests, 3 roles × 4 procedures)
Quality gates: tsc clean, api 1447/1447, web 189/189 passing.
Turbo concurrency capped at 2 (package.json) to prevent OOM under
parallel test runs.
Co-Authored-By: claude-flow <ruv@ruv.net>
2026-04-01 22:14:20 +02:00
Hartmut
5bc7cace26
fix(auth): make active-session check fail-open; add missing DB migration
The active_sessions table was never migrated to production — the model
was added to the Prisma schema via db push only. prisma migrate deploy
was a no-op because no migration directories existed.
Without the table, prisma.activeSession.findUnique() throws P2021,
crashing the tRPC handler with 500 on every authenticated request.
This silently emptied all admin pages (users, system-roles, etc.).
Changes:
- Wrap the jti ActiveSession lookup in try-catch so the tRPC handler
degrades gracefully (fail-open) if the table is temporarily missing
- Add packages/db/prisma/migrations/20260401000000_active_sessions/
so prisma migrate deploy creates the table on next production deploy
(idempotent via IF NOT EXISTS — safe if table already exists)
Co-Authored-By: claude-flow <ruv@ruv.net>
2026-04-01 18:38:05 +02:00
Hartmut
0e119cfe73
security: close audit findings #19–#23 and harden Docker setup (#24)
#19 MFA QR code: render locally via qrcode package, remove external qrserver.com request
#20 Webhook SSRF: add ssrf-guard.ts with DNS-verified IP blocklist; enforce on create/update/test/dispatch
#21 /api/perf: fail-closed when CRON_SECRET missing; remove query-string token auth
#22 CSP: remove unsafe-eval and unsafe-inline from script-src in production builds
#23 Active session registry: forward jti into session object; validate against ActiveSession on every tRPC request
#24 Docker: add missing packages/application to Dockerfile.dev; fix pnpm-lock.yaml glob;
run db:migrate:deploy on container start so a fresh checkout boots without manual steps
Also: fix pre-existing TS error in e2e/allocations.spec.ts (args.length literal type overlap)
Co-Authored-By: claude-flow <ruv@ruv.net>
2026-04-01 18:19:21 +02:00
Hartmut
7277e60691
test(api): widen resource capacity edge coverage
2026-04-01 07:52:40 +02:00
Hartmut
071ea13cc4
test(api): stabilize chargeability stats regression
2026-04-01 07:45:02 +02:00
Hartmut
8c5be51251
feat(platform): checkpoint current implementation state
2026-04-01 07:42:03 +02:00
Hartmut
3e53471f05
refactor(api): split resource read models
2026-04-01 07:38:03 +02:00
Hartmut
41916a4e46
refactor(api): share owned resource read access
2026-04-01 07:35:34 +02:00
Hartmut
a0c98cf24d
test(api): close assistant split regression gaps
2026-04-01 07:33:00 +02:00
Hartmut
f2d65d3cd4
test(api): add assistant split regression runner
2026-04-01 00:51:23 +02:00
Hartmut
254f2caa94
test(api): cover assistant timeline resource selection
2026-04-01 00:44:53 +02:00
Hartmut
3d9d3dd5a7
test(api): cover assistant system role configs
2026-04-01 00:44:42 +02:00
Hartmut
9c58952170
test(api): cover assistant import export tools
2026-04-01 00:44:29 +02:00
Hartmut
67f57e2791
test(api): cover ai client helpers
2026-04-01 00:44:16 +02:00
Hartmut
ef282e5e00
test(api): add assistant master data mutation helpers
2026-04-01 00:42:49 +02:00
Hartmut
ed021947ad
test(api): add assistant timeline allocation mutation helpers
2026-04-01 00:42:43 +02:00
Hartmut
0039a9997a
test(api): cover assistant project computation views
2026-04-01 00:42:02 +02:00
Hartmut
22ead3ca3d
test(api): cover assistant project cover tools
2026-04-01 00:41:55 +02:00
Hartmut
30b202c391
test(api): cover assistant change history queries
2026-04-01 00:41:46 +02:00
Hartmut
740ef0ecdb
test(api): cover assistant master data rate lookup
2026-04-01 00:41:40 +02:00
Hartmut
43c4ad37f3
test(api): cover assistant auth guard
2026-04-01 00:41:31 +02:00
Hartmut
f52380dc53
test(api): cover assistant chargeability report
2026-04-01 00:41:26 +02:00
Hartmut
95940f005b
test(api): cover assistant budget status
2026-04-01 00:41:17 +02:00
Hartmut
1d4e5c62b0
test(api): cover assistant insights and scenarios
2026-04-01 00:41:09 +02:00
Hartmut
38a7826326
test(api): cover assistant advanced timeline views
2026-04-01 00:38:55 +02:00
Hartmut
8349c5e0b3
test(api): cover assistant advanced resource ranking
2026-04-01 00:38:49 +02:00
Hartmut
248973c87d
test(api): cover assistant estimate version status errors
2026-04-01 00:38:15 +02:00
Hartmut
c65ae132d3
test(api): cover assistant estimate revision export errors
2026-04-01 00:38:10 +02:00
Hartmut
f1427a3f85
test(api): cover assistant estimate planning handoff errors
2026-04-01 00:38:03 +02:00
Hartmut
a07057438e
test(api): cover assistant estimate weekly phasing errors
2026-04-01 00:37:59 +02:00
Hartmut
7b6a4f6436
test(api): cover assistant estimate commercial term errors
2026-04-01 00:37:45 +02:00
Hartmut
276751c4ca
test(api): cover assistant estimate draft errors
2026-04-01 00:37:45 +02:00
Hartmut
0b535a6a5f
test(api): cover assistant estimate clone paths
2026-04-01 00:37:45 +02:00
Hartmut
80c31cc53f
test(api): cover assistant estimate reads
2026-04-01 00:37:38 +02:00
Hartmut
c510eeae37
test(api): cover assistant dispo import tools
2026-04-01 00:36:26 +02:00
Hartmut
ef9ec798ed
test(api): cover assistant dispo staged resolution
2026-04-01 00:36:22 +02:00
Hartmut
542d61bed3
test(api): cover assistant dispo staged reads
2026-04-01 00:36:17 +02:00
Hartmut
e76b4b2cfe
test(api): cover assistant timeline project shifts
2026-04-01 00:35:28 +02:00
Hartmut
7949aeb2e4
test(api): cover assistant timeline inline allocation update
2026-04-01 00:35:16 +02:00
Hartmut
3607d73b84
test(api): cover assistant timeline allocation shifts
2026-04-01 00:35:16 +02:00
Hartmut
adf25f328f
test(api): cover assistant timeline batch quick assign
2026-04-01 00:34:25 +02:00
Hartmut
705b570684
test(api): cover assistant timeline quick assign
2026-04-01 00:34:18 +02:00
Hartmut
2b8e1a1bf1
test(api): cover assistant allocation mutations
2026-04-01 00:33:28 +02:00
Hartmut
3a82a52897
test(api): cover assistant allocation reads
2026-04-01 00:31:51 +02:00
Hartmut
53158dc60d
test(api): cover assistant comment tools
2026-04-01 00:30:23 +02:00
Hartmut
f6c252be34
test(api): cover assistant client mutations
2026-04-01 00:29:44 +02:00
Hartmut
e1228244e9
test(api): cover assistant demand tools
2026-04-01 00:29:07 +02:00
Hartmut
40bf22a01a
test(api): cover assistant role mutations
2026-04-01 00:28:30 +02:00